Norton Firewall Alert Analysis

I got back from class tonight, and got this message on the pic attached, and the other pic is the Norton trace of the IP.

I use Norton Personal Firewall, along with Norton AV and Ad-Aware, Spybot; all are updated and run very frequently.

Here is the log entry:

Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (asdfasd-3v39q1qzj(xxx.xxx.xxx.xxx),1025)
Remote address,service is (xxx.xxxx.xxx.xxx,3442)
Process name is "C:\WINDOWS\System32\svchost.exe"

Basically, I am worried because I wasn't around when Norton asked permission to allow it access to the internet. It happened by itself, not from my normal use. Port 1025 on Google came up with internet Blackjack. I don't use any form of card game on this box. I have found threads on AO about closing it, but I am worried that something is wrong because it attempted to connect by itself.

I am concerned because C:\WINDOWS\System32\svchost.exe doesn't look like blackjack. My specific questions are, what caused this, why was it random, is there someone on the other end at the University of Vermont screwing with me, and are they worth reporting?

This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (blahblahblah-3v39q1qzj(xxx.xxx.xxx.xxx),1025)
Remote address,service is (xxx.xxx.xxx.xxx,3056)
Process name is "C:\WINDOWS\System32\svchost.exe"

Others say that ports 1025-1026 are needed to communicate with the domain controller which is using the DNS Client service. (RPC)

Some say (blackhats) that 1025 is used by the AT service. (task scheduler)

Killing any of those services doesn't close port 1025 for me.
(in fact, they were not running on my machine and I still had 1025 listening on 0.0.0.0)
I have NIS and I have that service blocked for that port. Hasn't caused me any harm as of yet. (crosses fingers)

Run a sniffer and see what kind of data it's trying to send.

Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

Hey soda, never mind my personal message to you. I remember now, I had found that someone had reinstalled Norton Internet Security without removing it, because it kept on saying that "norton is waiting for a scan of download #862487632" and the download # isn't important, but Norton kept scanning the same file over and over from kazzalite. So then my friend didn't tell me that he reinstalled Norton. The reason he reinstalled it was because the computer was practically freezing while Norton was going through the scanning process. Needless to say, after he reinstalled it without removal it began the alert popup. I traced it back to lucomserver, which is Norton's update server. Anyway, I removed all and reinstalled and the problem is gone. Sorry for the confusion...

svchost.exe is a generic host process used by WinXP. It can be used to exchange data for any number of purposes. I was plugged into a customer's Verizon DSL last week for a few hours and I blocked at least 20+ attempts to access svchost.exe via port 1025. Probably a worm or someone scanning for access to a popular trojan.

svchost is exactly as its name implies. It hosts services that cannot host themselves, usually DLLs.

Read this and you should be able to determine what it is opening 1025.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
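
One way to work out what is holding port 1025 open inside svchost.exe, as the replies above suggest: pair `netstat -ano` (port to PID) with `tasklist /svc` (PID to hosted services). This is an added example, not part of any post in the thread; the sample outputs are constructed and the function names are hypothetical.

```python
import re

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1044
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:1026           *:*                                    1044
"""

# Constructed sample of `tasklist /svc` output; long service lists wrap.
TASKLIST_SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
svchost.exe                  932 RpcSs
svchost.exe                 1044 AudioSrv, Dhcp, Schedule, Themes,
                                 winmgmt, wuauserv
explorer.exe                1660 N/A
"""

def listeners(netstat_text, port):
    """Return the PIDs that have a TCP socket LISTENING on `port`."""
    pids = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[1] == str(port):
                pids.add(int(f[4]))
    return pids

def services_by_pid(tasklist_text):
    """Map PID -> (image name, [services]), joining wrapped lines."""
    table, last = {}, None
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            last, rest = int(m.group(2)), m.group(3)
            table[last] = (m.group(1), [])
        elif line.startswith(" ") and last is not None:
            rest = line  # continuation of the previous service list
        else:
            continue     # header, separator or blank line
        names = [s.strip() for s in rest.split(",")]
        table[last][1].extend(n for n in names if n and n != "N/A")
    return table

def who_owns(port, netstat_text, tasklist_text):
    """Join both outputs: which process and services sit behind `port`."""
    procs = services_by_pid(tasklist_text)
    return {p: procs.get(p, ("?", [])) for p in listeners(netstat_text, port)}
```

The result narrows the listener to one svchost.exe instance and the services it hosts; stopping those services one at a time and re-running `netstat -ano` shows which one actually owns the port.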
